Message-ID: <65a8732e-a569-517b-67c6-8c3670c0aab6@amd.com>
Date: Mon, 16 Jan 2023 17:13:56 +0530
From: "Nikunj A. Dadhania" <nikunj@....com>
To: Zhi Wang <zhi.wang.linux@...il.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, kvm@...r.kernel.org,
bp@...en8.de, mingo@...hat.com, tglx@...utronix.de,
dave.hansen@...ux.intel.com, seanjc@...gle.com,
pbonzini@...hat.com, thomas.lendacky@....com, michael.roth@....com,
David Rientjes <rientjes@...gle.com>, stable@...nel.org
Subject: Re: [PATCH v5] x86/sev: Add SEV-SNP guest feature negotiation support
On 16/01/23 17:09, Zhi Wang wrote:
> On Mon, 16 Jan 2023 13:53:56 +0530
> "Nikunj A. Dadhania" <nikunj@....com> wrote:
>
>> On 13/01/23 17:23, Zhi Wang wrote:
>>> On Thu, 12 Jan 2023 14:11:39 +0530
>>> Nikunj A Dadhania <nikunj@....com> wrote:
>>>
>>
>>>> diff --git a/Documentation/x86/amd-memory-encryption.rst
>>>> b/Documentation/x86/amd-memory-encryption.rst index
>>>> a1940ebe7be5..b3adc39d7735 100644 ---
>>>> a/Documentation/x86/amd-memory-encryption.rst +++
>>>> b/Documentation/x86/amd-memory-encryption.rst @@ -95,3 +95,39 @@ by
>>>> supplying mem_encrypt=on on the kernel command line. However, if BIOS
>>>> does not enable SME, then Linux will not be able to activate memory
>>>> encryption, even if configured to do so by default or the mem_encrypt=on
>>>> command line parameter is specified. +
>>>> +Secure Nested Paging (SNP)
>>>> +==========================
>>>> +
>>>> +SEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be
>>>> enabled +by the hypervisor for security enhancements. Some of these
>>>> features need +guest side implementation to function correctly. The
>>>> below table lists the +expected guest behavior with various possible
>>>> scenarios of guest/hypervisor +SNP feature support.
>>>> +
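Review bot: The sentence "Some of these features need guest side implementation to function correctly" leaves open what the guest should do when the hypervisor enables such a feature and the guest kernel does not implement it, which is precisely the question raised in this thread. Suggest stating the rule explicitly before the table, along the lines of "The hypervisor can enable these features without knowing whether the guest kernel supports them, so the guest must detect an enabled feature it does not implement and fail the boot rather than continue," and using the same "Guest needs implementation" wording for the table column so the two match.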
>>
>>> "guest needs implementation" seems a little bit confusing. I suppose it
>>> means the feature is mandatory for the guest.
>>
>> That is not correct. None of these features are mandatory for the guest.
>> The hypervisor can enable this feature without the knowledge of guest
>> kernel support. So there should be a mechanism in the guest to detect this
>> and fail the boot if needed.
>>
>>> If so, on the second row
>>> guest can boot without it. Some explanation?
>>
>> In the first and second row, HV has not enabled the feature, so the
>> guest should boot fine irrespective of "Guest needs implementation".
>>
>
> Feel free to educate me if I understand correctly or not:
>
> There are two kinds of features in SEV_FEATURES:
>
> 1. Features that HV can freely enable/disable and they won't disturb the guest.
>
> HV  | Guest needs impl | Guest has impl    | Result
> Y/N | N                | X (not necessary) | Boot
>
> 2. Features that a guest has to be aware of and handle when HV enables them.
>
> HV | Guest needs impl | Guest has impl | Result
> N  | Y                | X (Don't care) | Boot
> Y  | Y                | N              | Fail
> Y  | Y                | Y              | Boot
Yes, that is the correct understanding.
Regards
Nikunj
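The negotiation rule the two tables above describe, written out as an added C example (not code from the patch or from the kernel). The feature bit positions and the two masks GUEST_NEEDS_IMPL_MASK / GUEST_HAS_IMPL_MASK are constructed placeholders standing in for the real SEV_FEATURES layout; the point is that "needs impl" and "has impl" are separate masks, and that only bits set in both the hypervisor's value and the first mask but missing from the second can fail the boot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions, not the real SEV_FEATURES[1:63] layout. */
#define FEAT_A (1ULL << 1) /* kind 1: HV may toggle freely, guest is unaffected */
#define FEAT_B (1ULL << 2) /* kind 2: guest must handle it if HV enables it */
#define FEAT_C (1ULL << 3) /* kind 2, and this guest kernel implements it */

/* "Guest needs impl" column: kind 2 features (placeholder mask). */
#define GUEST_NEEDS_IMPL_MASK (FEAT_B | FEAT_C)
/* "Guest has impl" column: what this guest kernel implements (placeholder). */
#define GUEST_HAS_IMPL_MASK   (FEAT_C)

/*
 * Given the hypervisor-enabled SEV_FEATURES value as seen by the guest,
 * return the features that (a) the HV enabled, (b) the guest is required
 * to handle, and (c) this kernel does not implement. Kind 1 features and
 * unknown bits never appear in the result, matching the first table.
 */
static inline uint64_t snp_unsupported_features(uint64_t sev_features)
{
	return sev_features & GUEST_NEEDS_IMPL_MASK & ~GUEST_HAS_IMPL_MASK;
}

/* true selects a "Boot" row of the tables, false the "Fail" row. */
static inline bool snp_guest_can_boot(uint64_t sev_features)
{
	return snp_unsupported_features(sev_features) == 0;
}

int main(void)
{
	/* Walk the table rows with constructed HV feature values. */
	const uint64_t cases[] = {
		0,               /* HV enabled nothing: Boot */
		FEAT_A,          /* kind 1 only, guest lacks impl: Boot */
		FEAT_C,          /* kind 2, guest implements it: Boot */
		FEAT_A | FEAT_B, /* kind 2 without guest impl: Fail */
	};
	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("SEV_FEATURES=0x%llx -> %s (unsupported=0x%llx)\n",
		       (unsigned long long)cases[i],
		       snp_guest_can_boot(cases[i]) ? "Boot" : "Fail",
		       (unsigned long long)snp_unsupported_features(cases[i]));
	return 0;
}
```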